Below is a summary of how to configure LDAP-UX Client Services with Netscape Directory Server 6.x. For a default configuration, see Quick Configuration. For a custom configuration, see Custom Configuration.

NOTE: The setup program has only been certified with Netscape Directory Server 6.x, Red Hat Directory Server 7.x and Windows 2000/2003/2003 R2 Active Directory Server. See the LDAP-UX Integration B.04.10 Release Notes (P/N J4269-90063). LDAP-UX Client Services B.04.00 or later supports storage of automount maps and public keys on Netscape/Red Hat Directory Server 6.x and 7.0/7.1. See the LDAP-UX Integration B.04.10 Release Notes (P/N J4269-90065).
Run the Setup program. The setup program provides the following assistance:

- Extends your Netscape/Red Hat directory schema with the configuration profile schema, if not already done
- Imports the LDAP printer schema into your Directory Server if you choose to start the LDAP printer configurator
- Imports the publickey schema into your Directory Server if you choose to store the public keys of users and hosts in an LDAP directory
- Imports the new automount schema into your Directory Server if you choose to store the AutoFS maps in an LDAP directory
- Provides the option to enable SSL for secure communication between LDAP clients and Directory servers
- Optionally configures SASL Digest-MD5 authentication (for Netscape/Red Hat Directory only)
- Creates a configuration profile entry in your directory server from information you provide
- Updates the local client's start-up file (/etc/opt/ldapux/ldapux_client.conf) with your directory and configuration profile location
- Downloads the configuration profile from the directory to your local client system
- Configures a proxy user for the client, if needed
- Starts the Client Daemon if you choose to start it
IMPORTANT: Starting with LDAP-UX Client Services B.03.20, the client daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or earlier, running the client daemon, ldapclientd, is optional.
After running setup, complete the client configuration:

- Configure the Pluggable Authentication Module (PAM) by modifying the file /etc/pam.conf. See /etc/pam.ldap for a sample.
- Configure the Name Service Switch (NSS) by modifying the file /etc/nsswitch.conf. See /etc/nsswitch.ldap for a sample.
- Optionally modify the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file to disable logins to the local system from specific users.
- Optionally configure the authorization of one or more subgroups from a large repository such as an LDAP directory server. For detailed information on how to set up the policy file, /etc/opt/ldapux/pam_authz.policy, see Policy File.
After you configure your directory and the first client system, configuring additional client systems is simpler. Refer to Configure Subsequent Client Systems for more information.

Quick Configuration
You can quickly configure a Netscape/Red Hat directory and the first client by letting most of the configuration parameters take default values as follows. For a custom configuration, see Custom Configuration. The steps described below assume that you don't use SSL or TLS support with LDAP-UX. If you want to enable SSL support, see Custom Configuration.

1. Log in as root and run the Setup program:

        cd /opt/ldapux/config
        ./setup

    The Setup program asks you a series of questions and usually provides default answers. Press the Enter key to accept the default, or change the value and press Enter. At any point during setup, enter Control-b to back up or Control-c to exit setup.

2. Choose the Directory Server as your LDAP directory server (option 1).

3. Enter either the host name or IP address of the directory server where your profile exists, or where you want to create a new profile, from Configuration Worksheet.

4. Enter the port number of the previously specified directory server where you want to store the profile, from Configuration Worksheet. The default port number is 389.

5. If the profile schema has already been imported, setup skips this step. Otherwise, enter "yes" to extend the profile schema with the LDAP-UX Client Services object class DUAConfigProfile. See LDAP-UX Client Services Object Classes for a detailed description of this object class.

6. If the LDAP printer schema has already been extended, setup skips this step. Otherwise, enter "yes" to extend the LP printer schema if you choose to start the printer configurator. The LDAP printer configurator is a feature that simplifies LP printer management by refreshing LP printer configurations on your client system. A new printer schema, based on the IETF draft draft-fleming-ldap-printer-schema-02.txt, is required to start the service.

7. If the publickey schema has already been extended, setup skips this step. Otherwise, enter "yes" to extend the publickey schema if you choose to store the public keys of users and hosts in the LDAP directory. A publickey schema based on RFC 2307-bis is required to migrate the public keys in the NIS+ credential table entries on the NIS+ server to the LDAP directory.

8. If the new automount schema has already been imported, setup skips to step 9. Otherwise, you will be asked whether or not you want to install the new automount schema, which is based on RFC 2307-bis. Enter "yes" to import the new automount schema into the LDAP directory server, or "no" if you do not want to import it; setup skips to step 9 if you enter "no".

    Next, if the setup program detects that the obsolete automount schema exists in the LDAP directory, it prompts you with the following:

        The obsolete automount schema exists in the directory.
        If you still want to use the new automount schema, you must
        perform the following steps:
        1. Exit this program
        2. Stop directory server
        3. Remove the obsolete automount schema:
           a. objectclass- automount
           b. attribute-automountInformation
           Note: for Netscape Directory Server, they are in 10rfc2307.ldif.
        4. Start directory and re-run setup program to install the new
           automount schema.
        Do you still want to use the new automount schema?
        Press Yes will exit this program. [YES]:

    Reply "yes" if you still want to use the new automount schema; setup then exits. After you exit and manually delete the obsolete automount schema, you must re-run the setup program to install the new automount schema. For detailed information on how to remove the obsolete automount schema, see Removing The Obsolete Automount Schema. If you reply "no", setup skips to step 9 and the new automount schema will not be imported. Otherwise, you will be asked to enter the DN (Distinguished Name) and password of the directory user who can import the schema into the LDAP directory.

9. If you are creating a new profile, add all parent entries of the profile DN to the directory (if any). If you attempt to create a new profile and any parent entries of the profile do not already exist in the directory, setup will fail. For example, if your profile will be cn=profile1,ou=profiles,o=hp.com, then ou=profiles,o=hp.com must exist in the directory or setup will fail.

10. Enter either the DN of a new profile, or the DN of an existing profile you want to use, from Configuration Worksheet. To display all the profiles in the directory, use a command like the following:

        ldapsearch -b o=hp.com objectclass=DUAConfigProfile dn

    If you are using an existing profile, setup configures your client, downloads the profile, and exits. In this case, continue with step 12 below.

11. If you are creating a new profile, enter the DN and password of the directory user who can create a new profile, from Configuration Worksheet. Next, setup prompts you to select the authentication method:

        Select authentication method for users to bind/authenticate to
        the server
        1. SIMPLE
        2. SASL DIGEST-MD5
        To accept the default shown in brackets, press the Return key.
        Authentication method: [1]:

    Press the Return key to accept the SIMPLE authentication method, or type 2 to choose the SASL DIGEST-MD5 authentication method.

    Next enter the host name and port number of the directory where your name service data is, from Configuration Worksheet. For high availability, each LDAP-UX client can look for name service data in up to three different directory hosts. You can enter up to three hosts, to be searched in order.

    Enter the base DN where clients should search for name service data, from Configuration Worksheet.

    You can quickly configure a Directory Server and the first client by accepting the remaining default configuration parameters when prompted. If you want to use the SASL DIGEST-MD5 authentication method, you need to configure a proxy user with its credential level. With SASL DIGEST-MD5 authentication, the password must be stored in clear text in the LDAP directory. Table 2-1 shows the configuration parameters and the default values they will be configured with.

    Table 2-1 Configuration Parameter Default Values

    | Parameter | Default Value |
    |---|---|
    | Type of client binding | Anonymous |
    | Bind time limit | 5 seconds |
    | Search time limit | no limit |
    | Use of referrals | Yes |
    | Profile TTL (Time To Live) | 0 - infinite |
    | Use standard RFC-2307 object class attributes for supported services | Yes |
    | Use default search descriptions for supported services | Yes |
    | Authentication method | Simple |

    To change any of these default values, refer to Custom Configuration. After you enter all the configuration information, setup extends the schema, creates a new profile, and configures the client to use the directory.

12. Configure the Pluggable Authentication Module (PAM). Save a copy of the file /etc/pam.conf and edit the original to specify LDAP authentication and other authentication methods you want to use. See /etc/pam.ldap for a sample. You may be able to just copy /etc/pam.ldap to /etc/pam.conf. See pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux for more information on PAM.

13. Configure the Name Service Switch (NSS). Save a copy of the file /etc/nsswitch.conf and edit the original to specify the ldap name service and other name services you want to use. See /etc/nsswitch.ldap for a sample. You may be able to just copy /etc/nsswitch.ldap to /etc/nsswitch.conf. See nsswitch.conf(4) for more information.

14. Optionally, configure the PAM Authorization Service module (pam_authz). LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.conf.template. This sample file shows you how to configure the policy file to work with pam_authz. You can copy this sample file and edit it, using the correct syntax, to specify the access rules you wish to authorize or exclude from authorization. For more detailed information on how to configure the policy file, see PAM_AUTHZ Login Authorization. The sample /etc/pam.conf file in the man page shows you how to configure /etc/pam.conf to work with pam_authz. For more detailed information about pam_authz, refer to the pam_authz(5) man page.

15. Optionally configure the disable_uid_range flag. Save a copy of the file /etc/opt/ldapux/ldapux_client.conf and edit the original to activate the disable_uid_range flag. Uncomment the flag in the [NSS] portion of the file and fill in the UID range. The format is:

        disable_uid_range=uid#,[uid#-uid#], ...

    where uid# stands for a UID number. For example:

        disable_uid_range=0-100,300-450,89

    Note: White space between numbers is ignored. Only one line of the list is accepted; however, the line can be wrapped. The maximum number of ranges is 20.

16. Verify the LDAP-UX Client Services.

17. Configure subsequent clients by running setup on those clients and specifying an existing configuration profile. Or, for a simpler process, see Configure Subsequent Client Systems.
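As an added example (not part of the original HP documentation or of LDAP-UX itself), the following Python reads the disable_uid_range flag from a constructed [NSS] section in the ldapux_client.conf layout described in step 15 and checks a UID against it, applying the stated rules: white space between numbers is ignored and at most 20 ranges are accepted. The section and key layout of the sample file and the helper names are assumptions made for this example.

```python
import re

MAX_RANGES = 20  # documented limit: at most 20 ranges on the disable_uid_range line

# Constructed sample of the [NSS] section of /etc/opt/ldapux/ldapux_client.conf
# (assumed layout: INI-style sections, key=value lines, '#' comments).
SAMPLE_CONF = """\
[profile]
PROFILE_ENTRY_DN=cn=profile1,ou=profiles,o=hp.com

[NSS]
# Users whose UID falls in one of these ranges cannot log in to this host
disable_uid_range=0-100, 300-450 ,89
"""


def read_nss_flag(conf_text, key="disable_uid_range"):
    """Return the value of `key` from the [NSS] section, or None if absent or commented out."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "NSS" and "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == key:
                return value.strip()
    return None


def parse_uid_ranges(value):
    """Parse 'uid#,uid#-uid#,...' into a list of (low, high) tuples.

    White space between numbers is ignored; more than MAX_RANGES entries or an
    inverted range is rejected rather than silently narrowing the disabled set.
    """
    ranges = []
    for item in value.split(","):
        item = re.sub(r"\s+", "", item)
        if not item:
            continue
        if "-" in item:
            low, high = (int(part) for part in item.split("-", 1))
            if low > high:
                raise ValueError("inverted range " + item)
        else:
            low = high = int(item)
        ranges.append((low, high))
    if len(ranges) > MAX_RANGES:
        raise ValueError("%d ranges given, maximum is %d" % (len(ranges), MAX_RANGES))
    return ranges


def uid_disabled(uid, ranges):
    """True if `uid` falls inside any configured range (login to this host is refused)."""
    return any(low <= uid <= high for low, high in ranges)


def disabled_uids_from_conf(conf_text):
    """Convenience wrapper: flag absent or commented out means no UID is disabled."""
    value = read_nss_flag(conf_text)
    return parse_uid_ranges(value) if value is not None else []


if __name__ == "__main__":
    ranges = disabled_uids_from_conf(SAMPLE_CONF)
    for uid in (0, 89, 101, 450, 1000):
        print(uid, "disabled" if uid_disabled(uid, ranges) else "allowed")
```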
Custom Configuration
Running the Setup program for a quick configuration, as described above, configures your client using default values where possible. If you would like to customize these parameters, proceed as follows.

If you want to use SSL or TLS, you must perform the following tasks before you run the custom configuration. See "Configure the LDAP-UX Client Services with SSL or TLS Support" for details.

- Ensure that you have installed the certificate database files, cert8.db or cert7.db and key3.db, on your client system.
- If you choose to use TLS, set the enable_starttls parameter to 1 in the /etc/opt/ldapux/ldapux_client.conf file to enable TLS. To use SSL, set enable_starttls to 0 to disable TLS. By default, TLS is disabled.

1. Perform the steps described in Quick Configuration. However, after step 11, you will be asked whether you want to use SSL or TLS:

    - If the value of the enable_starttls parameter is 0 (disabled) or undefined, you are asked whether you want to use SSL. Enter "yes" if you want to use SSL for secure communication between LDAP clients and the Netscape/Red Hat Directory Server, or "no" if you don't want to use SSL. Then skip to step 2.

            Do you want to use SSL (y/n)?

    - Otherwise, if the value of the enable_starttls parameter is 1 (enabled), you are asked whether you want to use TLS. Enter "yes" if you want to use TLS for secure communication between LDAP clients and the Netscape/Red Hat Directory Server, or "no" if you don't want to use TLS. Then skip to step 3.

            Do you want to use TLS (y/n)?

2. Next, setup prompts you to select the authentication method for users to bind/authenticate to the server. If you chose not to enable SSL, you can choose between SIMPLE (the default) and SASL DIGEST-MD5. If you chose to enable SSL, you can choose between SIMPLE with SSL (the default) and SASL DIGEST-MD5 with SSL. LDAP-UX supports the SASL DIGEST-MD5 authentication method with Netscape Directory Server 6.21 and Red Hat Directory Server 7.1 with SP2 (B.07.10.20). If you select SASL DIGEST-MD5, two additional prompts appear. The first asks for a user mapping (UID, DN, or Other). The second asks for a single realm to use when retrieving user authentication information. If no realm is specified, user information is retrieved from the first realm the directory server offers. Skip to step 4.

3. Next, setup prompts you to select the authentication method for users to bind/authenticate to the server. If you chose not to enable TLS, you can choose between SIMPLE (the default) and SASL DIGEST-MD5. If you chose to enable TLS, you can choose between SIMPLE with TLS (the default) and SASL DIGEST-MD5 with TLS. If you select SASL DIGEST-MD5, two additional prompts appear. The first asks for a user mapping (UID, DN, or Other). The second asks for a single realm to use when retrieving user authentication information. If no realm is specified, user information is retrieved from the first realm the directory server offers.

4. Specify the host name and optional port number where your directory is running. If you chose TLS, the default directory port number is 389. If you chose SSL, the default directory port number is 636. For high availability, each LDAP-UX client can look for user and group information in up to three different directory servers. You can specify up to three directory hosts, to be searched in order.

5. Reply "no" when asked if you want to accept the remaining default configuration parameters.

6. Select the client binding you want, from Configuration Worksheet. This determines the identity that client systems use when binding to the directory to search for user and group information.

7. If you configured a proxy user, enter the DN and password of your proxy user, from Configuration Worksheet. If you want to use the SASL DIGEST-MD5 authentication method, you need to configure a proxy user with its credential level. With SASL DIGEST-MD5 authentication, the password must be stored in clear text in the LDAP directory.

8. Enter the maximum time in seconds the client should wait for directory searches before aborting. Enter 0 for no time limit.

9. Enter whether or not you want directory searches to follow referrals. Referrals are a redirection mechanism supported by the LDAP protocol. See your directory manuals for more information on referrals.

    NOTE: If you want your directory searches to follow referrals, you must allow anonymous access into your directories.

10. Enter the Profile TTL (Time To Live) value. This value defines the time interval between automatic downloads (refreshes) of new configuration profiles from the directory. Automatic refreshing ensures that the client is always configured using the newest configuration profile. If you want to disable automatic refresh or manually control when the refresh occurs, enter a value of 0. See Download the Profile Periodically.

11. In this step, the setup program initiates a dialog where you can remap the standard object class attributes to alternate attributes. You may want to do this if the attributes in your directory do not conform to the object classes defined in RFC 2307. You can remap the attributes for any of the supported services: passwd, shadow passwd, group, PAM, netgroup, rpc, protocols, networks, hosts, services and automount.

    NOTE: Make sure that the attribute names are entered correctly to avoid unpredictable results later.

    Refer to RFC 2307 at http://www.ietf.org/rfc/rfc2307.txt for a description of the standard object classes and attributes. At this point, the setup program displays the following dialog:

        LDAP-UX Client Services supports the following services:
        1.Password                                7.Networks
        2.Shadow passwd                           8.Hosts
        3.Group                                   9.Services
        4.PAM (Pluggable Authentication Module)  10.Printers
        5.RPC                                    11.Automount
        6.Protocols                              12.Netgroup
        Each service uses a standard object class (defined by RFC 2307)
        You can remap any of these attributes to alternate attributes.
        Do you want to remap any of the standard RFC 2307 attributes?

    Enter "yes" if you want to remap attributes for any of the supported services. Then go to the "Remapping Attributes for Services" section for details of the procedures. Otherwise, if you do not want to remap attributes for any of the supported services, enter "no" to this prompt to continue to step 13 of the setup process.

12. In this step, the setup program initiates a dialog where you can create a custom search descriptor. A custom search descriptor allows you to specify a different search location or filter for retrieving entries for services supported by LDAP-UX Client. Each name service can have up to three different search descriptors. A custom search descriptor consists of three parts: a search base DN, a scope, and a filter. The client uses the search descriptors in order until it finds what it is looking for. To begin the process of creating custom search descriptors, setup prompts you with the following:

        LDAP-UX Client Services supports the following services:
        1.Password                                7.Networks
        2.Shadow passwd                           8.Hosts
        3.Group                                   9.Services
        4.PAM (Pluggable Authentication Module)  10.Printers
        5.RPC                                    11.Automount
        6.Protocols                              12.Netgroup
        You can create up to three custom search descriptors for each name
        service to search different locations in the directory for user
        and group information.
        Do you want to create custom search descriptors? [No]:

    Enter "yes" if you want to create custom search descriptors for any of the supported services. Then enter the number of the service for which you want to create a custom search descriptor. If you do not want to create custom search descriptors, enter "no" to this prompt to continue to step 13 of the setup process.

    Creating the nisObject Search Filter

    LDAP-UX Client Services uses the automount search filter for the automount service by default. If you want to create the nisObject search filter for the automount service to search a different location in the directory, use the following steps:

    a. Type yes for the following question and press the Return key:

            Do you want to create custom search descriptors? [No]: yes

    b. Next, setup displays the following screen:

            To accept the default shown in brackets, press the Return key.
            search base [dc=cup,dc=hp,dc=com]:
            search scope (base, one, sub) [sub]
            Search filter [(objectclass=automount)]

    c. If you want to create the nisObject search filter for the automount service, type (objectclass=nisObject) at the following prompt and press the Return key; otherwise press the Return key to accept the default search filter, (objectclass=automount):

            Search filter [(objectclass=automount)]: (objectclass=nisObject)

13. You will be asked whether or not you want to start the client daemon. For LDAP-UX Client B.03.20 or later versions, the client daemon must be started for LDAP-UX functions to work. With LDAP-UX Client B.03.10 or earlier, the client daemon is optional, but should be turned on in order to provide better performance (response time) and for X.500 group membership to work.
Remapping Attributes for Services

This section describes detailed procedures on how to perform attribute mappings for the automount, dynamic group and X.500 group membership services.

Attribute Mappings For Automount Service

By default, LDAP-UX Client Services uses the RFC2307-bis automount schema. The nisObject automount schema can also be used if configured via attribute mappings. Use the following steps if you want to remap the automount attributes to the nisObject automount attributes:

1. Enter yes for the following question:

        Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes

2. To select the automount service, enter 11 for the following question and press the Return key:

        Specify the service you want to map? [0]:11

    Setup then displays the following screen:

        Current Automount attribute names:
        1.automountMapName ->[automountMapname]
        2.automountKey -> [automountKey]
        3.automountInformation -> [automountInformation]
        Specify the attribute you want to map. [0]:

3. Type 1 for the following question and press the Return key:

        Specify the attribute you want to map. [0]:1

    Next, type the attribute nisMapName that you want to map to the automountMapName attribute at the following prompt and press the Return key:

        automountMapName -> nisMapName

    Setup then displays the following screen:

        Current Automount attribute names:
        1.automountMapName ->[nisMapname]
        2.automountKey -> [automountKey]
        3.automountInformation -> [automountInformation]
        Specify the attribute you want to map. [0]:

4. To specify the attribute to map to the automountKey attribute, type 2 for the following question and press the Return key:

        Specify the attribute you want to map. [0]:2

    Next, type the attribute cn that you want to map to the automountKey attribute and press the Return key:

        automountKey -> cn

    Setup then displays the following screen:

        Current Automount attribute names:
        1.automountMapName ->[nisMapname]
        2.automountKey -> [cn]
        3.automountInformation -> [automountInformation]
        Specify the attribute you want to map. [0]:

5. To specify the attribute to map to the automountInformation attribute, type 3 for the following question and press the Return key:

        Specify the attribute you want to map. [0]:3

    Next, type the attribute nisMapEntry that you want to map to the automountInformation attribute and press the Return key:

        automountInformation -> nisMapEntry

    Setup then displays the following screen:

        Current Automount attribute names:
        1.automountMapName ->[nisMapname]
        2.automountKey -> [cn]
        3.automountInformation -> [nisMapEntry]
        Specify the attribute you want to map. [0]:

6. Type 0 to exit this menu at the following prompt:

        Specify the attribute you want to map. [0]:0
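The following Python is an added example, not LDAP-UX code, modelling how the custom search descriptors entered in Custom Configuration step 12 (base, scope and filter, tried in order, including the nisObject filter) combine with the automount attribute mapping from this section to resolve one automount key. The directory entries are constructed for the example; it assumes the map name is read from the entry itself (nisObject carries nisMapName) or, failing that, from its parent map entry (RFC 2307bis puts automountMapName on the parent), and it supports only simple (attr=value) filters.

```python
import re

# Constructed sample directory: DN -> {attribute (lower-case): [values]}.
# The first tree uses the RFC 2307bis automount schema (the LDAP-UX default);
# the second uses the older nisMap/nisObject schema reached via attribute remapping.
DIRECTORY = {
    "ou=automount,o=hp.com": {"objectclass": ["organizationalUnit"], "ou": ["automount"]},
    "automountMapName=auto_home,ou=automount,o=hp.com": {
        "objectclass": ["automountMap"], "automountmapname": ["auto_home"]},
    "automountKey=alice,automountMapName=auto_home,ou=automount,o=hp.com": {
        "objectclass": ["automount"], "automountkey": ["alice"],
        "automountinformation": ["fileserver:/export/home/alice"]},
    "ou=nismaps,o=hp.com": {"objectclass": ["organizationalUnit"], "ou": ["nismaps"]},
    "nisMapName=auto_home,ou=nismaps,o=hp.com": {
        "objectclass": ["nisMap"], "nismapname": ["auto_home"]},
    "cn=bob,nisMapName=auto_home,ou=nismaps,o=hp.com": {
        "objectclass": ["nisObject"], "cn": ["bob"], "nismapname": ["auto_home"],
        "nismapentry": ["fileserver:/export/home/bob"]},
}

# Attribute maps as entered in setup: standard name -> name actually used in the directory.
RFC2307BIS_MAP = {"automountMapName": "automountMapName",
                  "automountKey": "automountKey",
                  "automountInformation": "automountInformation"}
NISOBJECT_MAP = {"automountMapName": "nisMapName",
                 "automountKey": "cn",
                 "automountInformation": "nisMapEntry"}


def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def in_scope(dn, base, scope):
    """LDAP scope semantics: base = the base entry only, one = its children, sub = whole subtree."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent_dn(dn) == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope " + scope)


def matches(entry, flt):
    """Evaluate a simple equality or presence filter such as (objectclass=nisObject)."""
    m = re.fullmatch(r"\((\w+)=([^()]+)\)", flt)
    if not m:
        raise ValueError("only (attr=value) filters are supported here: " + flt)
    attr, want = m.group(1).lower(), m.group(2).lower()
    have = [v.lower() for v in entry.get(attr, [])]
    return bool(have) if want == "*" else want in have


def search(directory, base, scope, flt):
    return [(dn, e) for dn, e in directory.items() if in_scope(dn, base, scope) and matches(e, flt)]


def lookup_automount(directory, descriptors, attrmap, map_name, key):
    """Resolve `key` in map `map_name`, trying each (base, scope, filter) descriptor in order."""
    map_attr = attrmap["automountMapName"].lower()
    key_attr = attrmap["automountKey"].lower()
    info_attr = attrmap["automountInformation"].lower()
    for base, scope, flt in descriptors:
        for dn, entry in search(directory, base, scope, flt):
            # map name on the entry (nisObject) or on its parent map entry (RFC 2307bis)
            names = entry.get(map_attr) or directory.get(parent_dn(dn), {}).get(map_attr, [])
            if map_name in names and key in entry.get(key_attr, []):
                return entry[info_attr][0]  # first descriptor that yields a match wins
    return None


# Descriptors as typed at the "search base / search scope / Search filter" prompts. The first
# default descriptor points at a subtree holding no maps, so the client falls through to the second.
DEFAULT_DESCRIPTORS = [("ou=automount,ou=site2,o=hp.com", "sub", "(objectclass=automount)"),
                       ("ou=automount,o=hp.com", "sub", "(objectclass=automount)")]
NISOBJECT_DESCRIPTORS = [("ou=nismaps,o=hp.com", "sub", "(objectclass=nisObject)")]

if __name__ == "__main__":
    print(lookup_automount(DIRECTORY, DEFAULT_DESCRIPTORS, RFC2307BIS_MAP, "auto_home", "alice"))
    print(lookup_automount(DIRECTORY, NISOBJECT_DESCRIPTORS, NISOBJECT_MAP, "auto_home", "bob"))
```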
Attribute Mappings For Dynamic Group Support

If you are configuring dynamic group support, you need to remap the default group member attribute, memberuid, to memberURL (for Netscape/Red Hat Directory Server) or nxsearchFilter (for HP Openview Select Access). For detailed information about dynamic group support, see "Dynamic Group Support". Use the following steps to remap the memberuid attribute to the dynamic group attributes, memberURL or nxsearchFilter. For example, the following procedure remaps memberuid to memberURL:

1. Type yes for the following question:

        Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes

2. Select the group service by entering 3 for the following question and press the Return key:

        Specify the service you want to map? [0]: 3

    Setup then displays the following screen:

        Current Group attribute names:
        1.cn ->[cn]
        2.gidnumber -> [gidnumber]
        3.memberuid -> [memberuid]
        4.userpassword -> [userPassword]
        Specify the attribute you want to map. [0]:

3. To specify the attribute to map to memberuid, type 3 for the following question and press the Return key:

        Specify the attribute you want to map? [0]: 3

    Type the attribute, memberURL or nxsearchFilter, that you want to map to the memberuid attribute and press the Return key:

        memberuid -> memberURL

    Setup then displays the following screen:

        Current Group attribute names:
        1.cn ->[cn]
        2.gidnumber -> [gidnumber]
        3.memberuid -> [memberURL]
        4.userpassword -> [userPassword]
        Specify the attribute you want to map. [0]:

4. Type 0 to exit this menu at the following prompt:

        Specify the attribute you want to map. [0]:0
Attribute Mappings for X.500 Group Membership Support

If you want to configure X.500 group membership support, you should remap the group member attribute to member or uniquemember instead of using the default attribute, memberuid. Perform the following attribute mapping steps to set up X.500 group membership:

1. Type yes for the following question:

        Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes

2. Select the group service by entering 3 for the following question and press the Return key:

        Specify the service you want to map? [0]: 3

    Setup then displays the following screen:

        Current Group attribute names:
        1.cn ->[cn]
        2.gidnumber -> [gidnumber]
        3.memberuid -> [memberuid]
        4.userpassword -> [userPassword]
        Specify the attribute you want to map. [0]:

3. To specify the attribute to map to memberuid, type 3 for the following question and press the Return key:

        Specify the attribute you want to map? [0]: 3

    Type the member attribute that you want to map to the memberuid attribute and press the Return key:

        memberuid -> member

    Setup then displays the following screen:

        Current Group attribute names:
        1.cn ->[cn]
        2.gidnumber -> [gidnumber]
        3.memberuid -> [member]
        4.userpassword -> [userPassword]
        Specify the attribute you want to map. [0]:

4. Type 0 to exit this menu at the following prompt:

        Specify the attribute you want to map. [0]:0
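As an added example (not LDAP-UX code), the following Python shows what the memberuid mapping above changes for a client: with the default mapping the group attribute already holds login names, while after mapping to member or uniquemember each value is an entry DN that must be resolved back to a uid, and a DN that matches no person entry yields no membership. The people and group entries are constructed; the dynamic-group case (memberURL, an LDAP URL that must be searched) is outside this example.

```python
# Constructed sample people entries: DN -> {attribute (lower-case): [values]}.
PEOPLE = {
    "uid=alice,ou=people,o=hp.com": {"uid": ["alice"], "uidnumber": ["1001"]},
    "uid=bob,ou=people,o=hp.com": {"uid": ["bob"], "uidnumber": ["1002"]},
}

# The same group in each style. An RFC 2307 posixGroup lists login names in memberuid;
# X.500 groupOfNames / groupOfUniqueNames list entry DNs in member / uniquemember.
RFC2307_GROUP = {"cn": ["eng"], "gidnumber": ["500"], "memberuid": ["alice", "bob", "carol"]}
X500_GROUP = {"cn": ["eng"], "gidnumber": ["500"],
              "member": ["uid=alice,ou=people,o=hp.com",
                         "UID=Bob, OU=People, O=hp.com",     # DNs compare case-insensitively
                         "uid=dave,ou=people,o=hp.com"]}     # no such person entry
UNIQUE_GROUP = {"cn": ["eng"], "gidnumber": ["500"],
                "uniquemember": ["uid=alice,ou=people,o=hp.com#'0101'B"]}  # optional UID suffix

DN_VALUED = {"member", "uniquemember"}  # mappings whose values are DNs rather than login names


def normalize_dn(dn):
    """Canonical form for comparing DNs: trim spaces around components, fold case.

    Sufficient for the simple DNs used here; full DN matching rules are more involved.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def member_uids(group, people, memberuid_mapped_to="memberuid"):
    """Return the login names that belong to `group`, honouring the memberuid mapping from setup.

    With the default mapping the values are already login names. With an X.500 mapping each
    value is a DN resolved through the people entries; a DN with no entry is skipped, since the
    client cannot tie it to any login.
    """
    attr = memberuid_mapped_to.lower()
    values = group.get(attr, [])
    if attr not in DN_VALUED:
        return list(values)
    by_dn = {normalize_dn(dn): entry for dn, entry in people.items()}
    uids = []
    for value in values:
        dn = value.split("#", 1)[0]  # uniqueMember syntax allows a '#bitstring' suffix
        entry = by_dn.get(normalize_dn(dn))
        if entry and entry.get("uid"):
            uids.append(entry["uid"][0])
    return uids


def is_member(group, people, uid, memberuid_mapped_to="memberuid"):
    """Membership test as the name service would answer it under the given mapping."""
    return uid in member_uids(group, people, memberuid_mapped_to)


if __name__ == "__main__":
    print("default mapping:", member_uids(RFC2307_GROUP, PEOPLE))
    print("mapped to member:", member_uids(X500_GROUP, PEOPLE, "member"))
    print("mapped to uniquemember:", member_uids(UNIQUE_GROUP, PEOPLE, "uniquemember"))
```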